Five inmates from the Marion Correctional Institution (MCI) built two computers from spare parts, hid them in the ceiling of a training room closet, and used them to hack into the prison's network.
Their actions were discovered in July 2015, when the prison's IT staff switched internal proxy servers from Microsoft to WebSense (now part of Forcepoint).
These servers, designed to monitor and report suspicious traffic, immediately started reporting issues.
Prison IT staff started receiving weird alerts
In the beginning, MCI admins received reports that a user account belonging to a prison contractor was exceeding its daily traffic quota. Other employees had also surpassed their daily traffic threshold; the problem was that these reports were coming in on days when that contractor was off duty.
Things got weirder a few days later when admins received reports that the same employee was attempting to avoid the traffic monitoring proxies.
At this point, the prison's IT staff decided to investigate further. Their suspicion that something was wrong was confirmed moments later when they traced back the traffic to a computer with the name "-lab9-", a name inconsistent with the prison's internal computer naming scheme.
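The three signals the MCI staff noticed (an account active on days its owner was off site, daily quota overruns, and a hostname outside the naming scheme) can be turned into a small correlation check. This is an added example, not code from the article or the Inspector General's report; the log format, the contractor username, the "MCI-<room>-<nn>" naming scheme, the duty roster and the quota value are all assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed proxy log lines (not from the report): date user host bytes
PROXY_LOG = """\
2015-07-06 jdoe MCI-P3-01 120000
2015-07-07 jdoe MCI-P3-01 95000
2015-07-11 jdoe -lab9- 4100000
2015-07-12 jdoe -lab9- 3900000
2015-07-13 asmith MCI-ADM-04 1500000
"""

# Assumed duty roster: dates on which each account's owner was on site.
ON_DUTY = {
    "jdoe": {date(2015, 7, d) for d in (6, 7, 8, 9, 10)},
    "asmith": {date(2015, 7, 13)},
}
# Assumed internal naming scheme: site code, room code, two-digit number.
HOST_RE = re.compile(r"^MCI-[A-Z0-9]+-\d{2}$")
DAILY_QUOTA = 1_000_000  # bytes per user per day; assumed threshold

def parse(log):
    """Yield (date, user, host, bytes) tuples from the constructed log."""
    for line in log.splitlines():
        day, user, host, nbytes = line.split()
        yield date.fromisoformat(day), user, host, int(nbytes)

def find_anomalies(log=PROXY_LOG, roster=ON_DUTY, quota=DAILY_QUOTA):
    """Return sorted (kind, user, detail) findings for the three signals."""
    findings, per_day, flagged_hosts = [], defaultdict(int), set()
    for day, user, host, nbytes in parse(log):
        per_day[(day, user)] += nbytes
        if day not in roster.get(user, set()):
            findings.append(("off_duty_activity", user, day.isoformat()))
        if host not in flagged_hosts and not HOST_RE.match(host):
            flagged_hosts.add(host)  # report each unknown hostname once
            findings.append(("unknown_hostname", user, host))
    for (day, user), total in per_day.items():
        if total > quota:
            findings.append(("quota_exceeded", user, day.isoformat()))
    return sorted(findings)

def off_duty_quota_hits(findings):
    """Quota overruns that coincide with off-duty days: the MCI tell-tale."""
    off = {(u, d) for kind, u, d in findings if kind == "off_duty_activity"}
    return sorted((u, d) for kind, u, d in findings
                  if kind == "quota_exceeded" and (u, d) in off)
```

A quota overrun alone (asmith, on duty) is noise; the same overrun on an off-duty day is what warranted tracing the traffic back to the switch port.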
Computers hid in a closet's ceiling
The prison staff started an investigation and tracked suspicious network traffic to port 16 of a switch located in the prison's P3 training room.
When they got to the switch, IT staffers followed the network cable plugged into port 16 to a nearby closet, and up into the ceiling. Removing the ceiling tiles, prison employees found two fully-working computers, placed on two pieces of plywood.
Inmates used parts from prison's recycling program
According to a report released yesterday by the Ohio Department of Rehabilitation and Correction (ODRC), the agency identified the five prisoners who built the PCs.
The five inmates managed to build their two PCs because they were part of the prison's Green Initiative program, in which they worked in trash management and electronics recycling.
Inmates hacked prison network
A forensic analysis of the hard drives found in the two PCs found legitimate software, hacking tools, and traces of illegal activities. According to the Office of the Ohio Inspector General, the two hard drives contained:
Access to inmate data via DOTS.
The issuance of passes for inmates to gain access to multiple areas within MCI.
A Bloomberg Business article on tax refund fraud.
Submissions of five credit card applications in the name of other inmates (data they obtained from DOTS).
Conversations with family members.
CC Proxy - a proxy server for Windows.
Cain - hacking tool for password recovery.
Zed Attack Proxy (ZAP) - vulnerability scanner.
Wireshark - network traffic packet analyzer.
NMap - network mapping and security auditing tool.
ZenMap - security scanner and GUI for NMap.
Webslayer - hacking tool for launching brute-force attacks.
JanaServer - multi-platform proxy server.
Yoshi - email spamming tool.
AdvOr Tor Browser - a variation of the Tor Browser.
THC Hydra - password cracking tool.
Cavin - editor for encrypting and decrypting text.
Paros - Java-based proxy server and MitM tool.
3CXVoip Phone - free VOIP tool for Windows.
VirtualBox - virtual machine software with Kali Linux installed.
TrueCrypt - full-disk encryption tool.
CC Cleaner - tool for system optimization, privacy, and cleaning.
VideoLan - multimedia player.
Clamwin - antivirus.
phpBB - open-source forum software.
SoftEther VPN.
OpenVPN.
Custom-crafted software.
According to investigators, the inmates used these tools to capture network traffic, move laterally in the prison's network, crack passwords for active user accounts, and use these accounts to access the prison's network.
They used this access to collect personal information on other inmates, apply for credit cards in those inmates' names, and issue passes for other inmates.
Prison staff shares some of the blame
Following the discovery of these tools and the inmates' actions, the ODRC moved the suspects to other institutions in November 2015.
The Office of the Ohio Inspector General also found that MCI staffers were at fault: first for failing to supervise inmates (who built two frickin' computers while in prison), and second for failing to require employees to change their passwords every 90 days.
The findings from this investigation have been forwarded to the Marion County Prosecutor's Office and the Ohio Ethics Commission for consideration of any punishments.
Comments
BattIefists - 7 years ago
That's something you don't see everyday, hah.
GT500 - 7 years ago
What's "CC Cleaner"?
Angoid - 7 years ago
Probably nothing more than a typo for "Ccleaner" as supplied by Piriform:
https://www.piriform.com/ccleaner/download
campuscodi - 7 years ago
That's how it was spelled in the report. I also presume it's CCleaner.
Angoid - 7 years ago
I figured it was a copy and paste from a report. Another one is VirtualBox, which is a virtualisation tool and does not come with Kali Linux on it by default (as that report suggests in its wording). Kali Linux (a special Linux distro used for penetration testing) would have to be installed as a guest OS into VirtualBox as a separate action.
GT500 - 7 years ago
Sorry, my question was a bit sarcastic. I just never understood why so many people say/type "CC Cleaner" instead of "CCleaner".
TheDcoder - 7 years ago
Those are some crafty prisoners. I wonder what crime they committed to go to prison?
danwat1234 - 7 years ago
On Nightly Business Report on April 10-12th, they visit San Quentin prison where some prisoners are a part of "The Last Mile" (Business Behind Bars the show calls it), where they code in prison. They have a virtual internet. The goal is to make them feel good, make them have a better chance of success after leaving prison, and to never come back. That's the 10th and 11th of April episodes, the last segment of the episodes. On the 12th, it is about a prisoner who trades stocks!! Quite stimulating, wouldn't you say? -Worf.
10th; https://youtu.be/UuzumMfqM68?t=23m
11th; https://youtu.be/LXxRwlMFCZ8?t=22m18s
12th; https://youtu.be/Zjjg3O-cUxc?t=22m27s
danwat1234 - 7 years ago
Reply to this one, this one I'll get an email when you reply. -danwat1234